maximbaz / arch-secure-boot

UEFI Secure Boot for Arch Linux + btrfs snapshot recovery
ISC License

Kernels/modules versions consistency to boot from snapshots and BTRFS subvolume layout #28

Closed Ch4n3-Cookie closed 3 months ago

Ch4n3-Cookie commented 4 months ago

Hello Maxim,

I would like to know if excluding /usr/lib/modules from the root snapshots is necessary to use arch-secure-boot, ensuring the ability to boot from snapshots and maintain consistency between the kernel and its module versions across all snapshots.

Additionally, I would like to ask if there are any other BTRFS subvolumes that need to be created to facilitate booting from snapshots using UKI?

Apologies if my questions aren't exactly specific to your project, and thank you in advance for your answers.

maximbaz commented 4 months ago

Hello!

I don't think any specific subvolume is mandatory for booting from a snapshot, but I suppose it also depends on what you are planning to do with it. I always treated this as a more convenient alternative to "live usb", where I would boot from snapshot just to fix something on the main subvolume (e.g. mount main subvolume and fix a config file), so I didn't really go for any consistency, it was enough for me if the system could boot in readonly mode.

Here's the list of subvolumes I personally use on Arch:

https://github.com/maximbaz/dotfiles/blob/master/install.sh#L157-L166

Does this help? 🙃

Ch4n3-Cookie commented 4 months ago

Thanks a lot for the clarifications!

I was told that it is not possible to boot from snapshots where the kernel changed in between. But you confirmed to me that we can do it anyway.

Regarding my use case for snapshots, I should have been more explicit. I would like to use them primarily for rollback purposes, meaning making a read-write copy of a snapshot and modifying the default subvolume to boot from. So I would need to be able to use the snapshot's file system as is. This is maybe the reason why I was advised to either exclude /usr/lib/modules from snapshots and use a fallback/recovery UKI, or to install the relevant older kernel and, I suppose, rebuild a UKI for this kernel version.

In your case, you don't have to go through all that trouble, because you are using snapshots as temporary bootable devices.

Am I getting this right?

Thanks again for your explanation and sharing your setup layout.

maximbaz commented 4 months ago

Looking a bit more into it, it sounds like you have gotten good advice actually, on putting /usr/lib/modules into a separate subvolume - from what I could understand, if you don't have the modules for the right kernel version, you might miss some drivers, so depending on the specific hardware, you might succeed in booting or you might not, and if you do succeed, some devices might work and others might not. It's very likely that I was, for example, lucky that I could boot, and I just never noticed that, for example, the webcam was not functional.

It sounds like you are making readonly snapshots, and during recovery you'll boot into a readonly snapshot, make a read-write copy of it, and mark it as the new primary, is this right? It should work, but I would certainly recommend that you test this out, and also have a look at https://github.com/maximbaz/arch-secure-boot/issues/27 - apparently some folks are having trouble booting into readonly snapshots, even though I never had such issues.
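As an added example (not from arch-secure-boot or from either participant), a POSIX shell check for the kernel/modules consistency discussed above: before making a writable copy of a snapshot and setting it as the default subvolume, confirm the snapshot carries a /usr/lib/modules tree for the kernel version the UKI will boot. The Snapper layout `<root>/<n>/snapshot` and passing the kernel version in as a parameter are assumptions.

```shell
#!/bin/sh
# Added example, not part of arch-secure-boot. Assumes Snapper's layout
# (<snap_root>/<n>/snapshot) and that the caller supplies the kernel version
# the UKI on the ESP will boot (e.g. from `uname -r` on the running system).

# snapshot_has_modules <snapshot_dir> <kernel_version>
# Succeeds only if the snapshot ships a complete module tree for that kernel
# (modules.dep is what depmod writes, so its presence is the useful signal).
snapshot_has_modules() {
    [ -f "$1/usr/lib/modules/$2/modules.dep" ]
}

# list_bootable_snapshots <snap_root> <kernel_version>
# Prints every snapshot directory whose modules match <kernel_version>;
# snapshots taken before or after a kernel upgrade are silently skipped.
list_bootable_snapshots() {
    root=$1
    kver=$2
    for dir in "$root"/*/snapshot; do
        [ -d "$dir" ] || continue
        if snapshot_has_modules "$dir" "$kver"; then
            printf '%s\n' "$dir"
        fi
    done
}

# rollback_to <snapshot_dir> <new_subvolume_path> <kernel_version>
# The procedure from the thread: writable copy of the read-only snapshot,
# then mark it as the default subvolume. Refuses if modules would not match
# the kernel, which is the driver-loss failure mode described above.
rollback_to() {
    snap=$1
    target=$2
    kver=$3
    if ! snapshot_has_modules "$snap" "$kver"; then
        echo "refusing rollback: $snap has no modules for kernel $kver" >&2
        return 1
    fi
    btrfs subvolume snapshot "$snap" "$target" &&
        btrfs subvolume set-default "$target"
}
```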

Ch4n3-Cookie commented 4 months ago

> Looking a bit more into it, it sounds like you have gotten good advice actually, on putting /usr/lib/modules into a separate subvolume - from what I could understand, if you don't have the modules for the right kernel version, you might miss some drivers, so depending on the specific hardware, you might succeed in booting or you might not, and if you do succeed, some devices might work and others might not. It's very likely that I was, for example, lucky that I could boot, and I just never noticed that, for example, the webcam was not functional.

At the time of opening this issue, I was worried that I had raised a redundant problem. But it turns out it was worth it. Thank you for your confirmation.

> It sounds like you are making readonly snapshots, and during recovery you'll boot into a readonly snapshot, make a read-write copy of it, and mark it as the new primary, is this right?

That is right. I will be using Snapper for creating my snapshots which, by default, are read-only.

> It should work, but I would certainly recommend that you test this out, and also have a look at #27 - apparently some folks are having trouble booting into readonly snapshots, even though I never had such issues.

Thank you for pointing this out to me. I have been looking into it and the grub-btrfs documentation appears to be a valuable resource for addressing related issues, although I would like to avoid using GRUB if possible. Based on my research, I plan to have a subvolume for /var/log and have learnt that booting from read-only snapshots is not an issue with Plasma/SDDM, which will be my primary desktop environment (grub-btrfs issue #214).

I have also read about using OverlayFS to mount read-only snapshots, if the previous options still don't work. If that's the case, according to the grub-btrfs documentation, I would generate my initrd image with Dracut for simplicity, because I need systemd-cryptsetup-generator to unlock my encrypted partitions.

To keep mkinitcpio, from my limited understanding I would have to dive into systemd-unit-related matters or consider a workaround, such as a script embedded in the initramfs image as suggested in this blog post. However, I would prefer not to delve too deep into this, given my limited experience with Linux.

maximbaz commented 3 months ago

Hey, just wanted to check in whether you succeeded in what you were doing, and whether you had any more questions? And that I didn't miss any questions addressed to me? Otherwise, should we close the issue? 🙂

Ch4n3-Cookie commented 3 months ago

Hey Maxim,

Firstly, I want to apologise for the delayed response and thank you for checking in. I actually had to postpone my installation attempt because of work-related challenges. I will try again when I have more spare time.

I reviewed our conversation and I think you have already addressed my primary concerns. I think I can make it work on my own. However, I would greatly appreciate it if you could give me your opinion about the solutions I'm considering to solve potential issues related to booting read-only snapshots. Do they make any sense?

Thanks again in advance for your help!

maximbaz commented 3 months ago

Hello,

Yeah, the ideas you found all seem reasonable to me, with the caveat that I don't have any personal experience with OverlayFS, and limited experience with Dracut 🙃

Do let me know how it went once you find the time to try this out, I hope readonly snapshots will actually work for you, so that you don't need to spend a lot of time on this.

Good luck!

Will close the issue, but don't hesitate to write either here or in a new issue!